Abstract — We investigate the impact of node capture attacks on the
confidentiality and integrity of network traffic. We map the compromise of
network traffic to the flow of current through an electric circuit and
propose a metric for quantifying the vulnerability of the traffic using the
circuit mapping. We compute the vulnerability metric as a function of the
routing and the cryptographic protocols used to secure the network traffic.
We formulate the minimum cost node capture attack problem as a nonlinear
integer programming problem. Due to the NP-hardness of the minimization
problem, we provide a greedy heuristic that approximates the minimum cost
attack. We provide examples of node capture attacks using our vulnerability
metric and show that the adversary can expend significantly less resources
to compromise target traffic by exploiting information leakage from the
routing and cryptographic protocols.

I. Introduction

The successful commercialization of many applications of wireless networks
relies on the assurance of the confidentiality and integrity of the data
communicated through the network. Confidentiality is defined as the ability
to keep data secret from all but a set of authorized entities, and integrity
is defined as the ability to verify that data has not been maliciously or
accidentally altered while in transit [1]. Recent research has demonstrated
that these properties can be efficiently compromised by physically capturing
network nodes and extracting cryptographic keys from their memory [2]. Such
node capture attacks are possible due to the potential unattended operation
of wireless nodes and the prohibitive cost of tamper-proof hardware in
portable devices [2]. Using the cryptographic keys recovered in a node
capture attack, an adversary can compromise the confidentiality and
integrity of any messages secured using the compromised keys.

Recent literature [2]–[5] on symmetric key assignment [1] for
resource-constrained devices has focused on node capture attacks in which an
adversary chooses the captured nodes independently at random. In our
previous work [6], [7], we showed that an intelligent adversary can reduce
the resource expenditure required for the node capture attack using
information leaked from the key assignment protocol. In particular, the
adversary can learn which keys are assigned to individual nodes in the
network by eavesdropping on or participating in the secure link
establishment protocol [7].

For symmetric key assignment in wireless sensor and ad-hoc networks, node
capture attacks aim at the compromise of individual node-to-node wireless
links [2]–[7]. However, a message traversing multiple links between a source
and destination node is compromised if any of the traversed links in the
route becomes insecure. The overall security of a routed message is thus at
best that of the least secure or most vulnerable link traversed by the
message. Hence, the impact of the node capture attack is a function of both
the cryptographic protocol which provides link security and the routing
protocol which determines the links traversed by a given message.

In this paper, we use the vulnerability of network traffic as a measure of
the adversary's ability to compromise a message traversing a particular
route. By observing the network topology and inferring information from the
routing and key assignment protocols, an intelligent adversary can analyze
the vulnerability of traffic and capture the nodes which maximize the
compromise of network traffic.

However, there is a resource expenditure associated with the capture of
nodes and extraction of keys from their memory. Hence, the optimal attack
strategy is that which captures a set of nodes with minimum total resource
expenditure. This is in contrast to wiretapping attacks in routing or secure
network coding [8], [9] which aim to tap a set of links with minimum total
resource expenditure. An adversary with bounded resources will thus rely on
an efficient node capture algorithm which minimizes the total resource
expenditure. As we show in this paper, the joint consideration of
information from the routing and key assignment protocols can lead to a
significant reduction in resource expenditure compared to node capture
attacks using routing or key assignment information separately.

In this paper, we thus address the problem of quantifying the minimum
resources required in order to compromise the network traffic of a target
set of source-destination pairs by jointly considering information from the
routing and key assignment protocols. Alternatively, we show the worst case
impact of a node capture attack, given a specific amount of resources
available to the adversary.

A. Our Contributions

The contributions of this work are summarized as follows.

•  We map the compromise of network traffic to the flow of current through
an electric circuit and derive a vulnerability metric using circuit
analysis. Focusing on symmetric key distribution as in [2], [3], [6], we
present a vulnerability metric for both single and multiple path routing
topologies. Our proposed metric captures the gain achieved due to
information leakage by the joint consideration of the routing and key
assignment protocols.

•  We formulate the minimum cost node capture attack problem as a nonlinear
integer programming minimization problem using the proposed vulnerability
metric. We present the GNAVE algorithm, a Greedy Node capture Approximation
using Vulnerability Evaluation, to approximate the minimum cost node capture
attack.

•  We demonstrate the impact of node capture attacks using the GNAVE
algorithm in wireless networks with examples of both classical routing and
network coding protocols. Furthermore, we compare the resource expenditure
required for node capture attacks using the GNAVE algorithm to previously
proposed strategies.

The remainder of this paper is organized as follows. In Section II, we
present models and assumptions for the wireless network, key assignment,
routing, and adversary. In Section III, we formulate the minimum cost node
capture attack problem as a nonlinear integer programming minimization
problem. We also derive a metric for the vulnerability of network traffic by
mapping the compromise of messages to a circuit analysis problem. In
Section IV, we analyze the node capture attack formulation with respect to
the circuit analysis metric and present the GNAVE algorithm for node
capture. In Section V, we present examples and simulation of node capture
attacks for both classical routing and network coding protocols. In
Section VI, we conclude and discuss future work.

II. Models and Notation

In this section, we introduce models for the wireless network, key
assignment, routing, and adversary. We summarize the notation used in the
paper in Table I.

A. Wireless Network Model

The network consists of a set $\mathcal{N}$ of wireless nodes. The network
topology is represented as the directed network graph
$G_N = (\mathcal{N}, L_N)$. The link set $L_N$ represents the set of one-hop
communicating neighbors and is equivalent to an asymmetric relation [10]
such that each link $(i, j)$, $i \neq j$, is in the link set $L_N$ if and
only if node $i$ can reliably send a message to node $j$ without
intermediate relays.

TABLE I
A summary of notation is provided for reference.

Symbol                                  Definition
$\mathcal{N}$                           Set of wireless nodes
$L_N$                                   Set of ordered pairs of one-hop neighbor nodes
$G_N$                                   Network graph $(\mathcal{N}, L_N)$
$\mathcal{K}_i$, $\mathcal{L}_i$        Sets of keys and labels assigned to node $i \in \mathcal{N}$
$\mathcal{K}_{ij}$, $\mathcal{L}_{ij}$  Sets of keys and labels shared by nodes $i$ and $j$
$\mathcal{S}$, $\mathcal{D}$            Sets of source and destination nodes
$\mathcal{T}$                           Subset of $\mathcal{S} \times \mathcal{D}$ of source-destination pairs
$\mathcal{T}_A$                         Adversary's target set, subset of $\mathcal{T}$
$\mathcal{R}_{sd}$                      Set of paths forming the route from $s$ to $d$
$f_\pi$                                 Fraction of $\mathcal{R}_{sd}$ traffic traversing the path $\pi$
$G_N(s,d)$                              Route subgraph of $G_N$ corresponding to $\mathcal{R}_{sd}$
$C$                                     Subset of $\mathcal{N}$ of captured nodes
$\mathcal{K}_C$, $L_C$                  Sets of compromised keys and links when $C$ captured
$w_i$                                   Weight or cost of capturing node $i \in \mathcal{N}$
$h_C(s,d)$                              Route vulnerability of $\mathcal{R}_{sd}$ when $C$ captured
$\nu(i, C)$                             Incremental value of node $i$ when $C$ captured
$R_C(i,j)$                              Link resistance of $(i,j)$ when $C$ captured
$R_C(\mathcal{R}_{sd})$                 Route resistance of $\mathcal{R}_{sd}$ when $C$ captured

B. Key Assignment Model

We assume that there exist sets $\mathcal{K}$ of symmetric cryptographic
keys and $\mathcal{L}$ of corresponding key labels. Each node
$i \in \mathcal{N}$ is assigned a subset $\mathcal{K}_i$ of $\mathcal{K}$
and the corresponding subset $\mathcal{L}_i$ of $\mathcal{L}$. We denote the
set of keys shared by nodes $i$ and $j$ as
$\mathcal{K}_{ij} = \mathcal{K}_i \cap \mathcal{K}_j$ and allow
communication between $i$ and $j$ if and only if
$\mathcal{K}_{ij} \neq \emptyset$ (footnote 1). We assume that nodes $i$ and
$j$ use the entire set $\mathcal{K}_{ij}$ of shared keys to secure the link
$(i, j)$, so the strength of the link security is directly related to the
number of shared keys. We assume that each node $i$ publicly broadcasts the
label set $\mathcal{L}_i$, allowing each neighboring node $j$ to determine
the set $\mathcal{K}_{ij}$ of shared keys, as discussed in [2].

C. Routing Model

Let $\mathcal{S}$ and $\mathcal{D}$ respectively denote the subsets of
$\mathcal{N}$ of source and destination nodes. The set of source-destination
routing pairs is denoted as
$\mathcal{T} \subseteq \mathcal{S} \times \mathcal{D}$ and is constructed
based on the decisions made by the routing protocol. A message from source
$s \in \mathcal{S}$ to destination $d \in \mathcal{D}$ will traverse one or
more directed paths determined by the routing protocol through the network
graph $G_N$. Each routing path is defined as a set of sequential links
$(i, j)$ with $\mathcal{K}_{ij} \neq \emptyset$ connecting $s$ and $d$ in
$G_N$. We define the route $\mathcal{R}_{sd}$ as the set of all paths
traversed from $s$ to $d$ and the path weight $f_\pi$ as the fraction of
traffic in the route $\mathcal{R}_{sd}$ that traverses the path $\pi$.

The route $\mathcal{R}_{sd}$ can be represented graphically by the route
subgraph $G_N(s,d)$ of $G_N$ consisting only of nodes and directed links
traversed by at least one path $\pi$ in the route $\mathcal{R}_{sd}$.

We address three classes of routing protocols based on path multiplicity and
dependence of messages being routed along different paths. The first class
of protocols yield routes consisting of a single, fixed path, as in AODV or
DSR [11] in a static network. The second class of protocols yield routes
consisting of multiple independent paths, such that each message traverses a
potentially different path, as in GBR or GEAR [11]. The third class of
protocols yield routes consisting of multiple dependent paths used
concurrently such that each message is coded or fragmented into multiple
packets, each of which traverses a separate (not necessarily disjoint) path.
This class contains, for example, protocols based on threshold secret
sharing [12] and network coding [8], [9], [13] in which a set of coded
packets must be decoded in order to recover the original message.

Footnote 1: This requirement can be strengthened as in [3] to require
$|\mathcal{K}_{ij}| > q$ for a fixed $q > 1$, though we do not explicitly
address this requirement.

D. Adversarial Model

We assume that the adversary is bounded to polynomial-time computation and
has sufficient but bounded resources to eavesdrop on and record messages
throughout the network, capture nodes, and extract cryptographic keys from
the memory of captured nodes. We assume the adversary has knowledge of the
key assignment and routing protocols, including the route $\mathcal{R}_{sd}$
for each $(s, d) \in \mathcal{T}$ and the key label set $\mathcal{L}_i$ for
each node $i$.

We assume that the primary goal of the adversary is to compromise all
traffic of source-destination pairs in the target set
$\mathcal{T}_A \subseteq \mathcal{T}$ by extracting cryptographic keys from
the memory of captured nodes $C \subseteq \mathcal{N}$ with minimum resource
expenditure. The adversary thus captures nodes intelligently using the
individual weight or cost $w_i$ associated with the capture of and
extraction of keys from the node $i$ [7]. We do not address additional
attacks following the node capture attack using the recovered keys.

III. Attack and Vulnerability Formulation

In this section, we formulate the minimum cost node capture attack problem
as a nonlinear integer programming minimization problem. We map the
compromise of network traffic to the flow of current through an electric
circuit. Using the circuit mapping, we formally define the vulnerability of
traffic traversing the route $\mathcal{R}_{sd}$.

A. Node Capture Attack Formulation

In order to evaluate the effect of capturing the nodes on the route
$\mathcal{R}_{sd}$, we first provide definitions for the compromise of
traffic due to the capture of nodes in $C$. We denote the set of keys
recovered by the adversary in capturing the subset $C$ as
$\mathcal{K}_C = \bigcup_{i \in C} \mathcal{K}_i$.

Definition 1: Any message which traverses the link $(i, j) \in L_N$ is
compromised if $\mathcal{K}_{ij} \subseteq \mathcal{K}_C$. We define the set
$L_C \subseteq L_N$ to be the set of such compromised links.

Using Definition 1, we further define the compromise of paths and message
routes as follows.

Definition 2: The path $\pi$ is compromised if there is at least one
compromised link $(i, j)$ in $\pi$.

Definition 3: The route $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}_A$ is
compromised if every path $\pi \in \mathcal{R}_{sd}$ is compromised.

According to Definition 3, any message sent from $s$ to $d$ is compromised
if the route $\mathcal{R}_{sd}$ is compromised. Hence, to compromise all
traffic routed between source-destination pairs in the target set
$\mathcal{T}_A$, the adversary must choose a subset $C$ that leads to the
compromise of each route $\mathcal{R}_{sd}$ for $(s,d) \in \mathcal{T}_A$.
The choice of subset $C$ requiring the minimum resource expenditure is thus
given by the following minimum cost node capture problem.


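Problem: Minimum Cost Node Capture Attack

Given: $\mathcal{L}_i$, $w_i$ for $i \in \mathcal{N}$ and $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}_A$

Find: $C \subseteq \mathcal{N}$

such that $\sum_{i \in C} w_i$ is minimized

and $\mathcal{R}_{sd}$ is compromised for all $(s,d) \in \mathcal{T}_A$.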

B. Route Vulnerability Metric

Using Definition 3, an adversary can compute the fraction of target routes
compromised due to the capture of a set of nodes $C$. However, this fraction
does not show how the set $C$ should be selected. Furthermore, the fraction
of compromised target routes does not capture the contribution of nodes in
$C$ toward the compromise of additional routes, as the compromise of a route
is a binary event.

To adequately capture the progression toward the compromise of additional
routes, we introduce the metric of route vulnerability $h_C(s,d)$, defined
as follows.

Definition 4: The route vulnerability $h_C(s,d)$ of the route
$\mathcal{R}_{sd}$ due to the capture of nodes in $C$ is a quantity in the
unit interval $[0, 1]$ such that

1)  $h_\emptyset(s, d) = 0$, where $\emptyset$ is the empty set,

2)  $h_C(s,d) = 1$ if and only if $\mathcal{R}_{sd}$ is compromised when $C$
is captured, and

3)  $h_{C_1}(s,d) > h_{C_2}(s,d)$ only if the capture of $C_1$ is more
beneficial to the adversary in compromising $\mathcal{R}_{sd}$ than the
capture of $C_2$.

The metric of route vulnerability relaxes the binary notion of route
compromise to a continuous measure of progress. Using the route
vulnerability, we can devise a node capture strategy that maximizes the
progression toward the goal of compromising all routes $\mathcal{R}_{sd}$
for $(s,d) \in \mathcal{T}_A$. The final constraint in the minimum cost node
capture attack problem can thus be replaced by the constraint
$h_C(s,d) = 1$ for all $(s, d) \in \mathcal{T}_A$.

While the boundary values of $h_C(s, d)$ are well determined, condition 3)
in Definition 4 does not quantify the intermediate values of $h_C(s,d)$. In
the next section, we define the intermediate values of $h_C(s,d)$ using
circuit theoretic analysis.

C. Mapping Route Compromise to Current Flow

In this section, we map the compromise of the route $\mathcal{R}_{sd}$ to
the flow of current through an electric circuit and relate the route
vulnerability $h_C(s,d)$ to the resistance of the circuit. We first
determine the compromise of a route $\mathcal{R}_{sd}$ according to the
following Proposition.

Proposition 1: The route $\mathcal{R}_{sd}$ is compromised if and only if
the set $L_C$ of compromised links contains at least one $(s,d)$ edge cut of
the route subgraph $G_N(s, d)$ as a subset.

Fig. 1. The figure illustrates the mapping from the compromise of the route
$\mathcal{R}_{sd}$ to the flow of current through an electric circuit
$\mathcal{E}_{sd}$. In (a), the route subgraph $G_N(s, d)$ is illustrated
with the edge cut of compromised links indicated by dashed lines. In (b),
the edge cut is replaced by the curve zp directed from $p_0$ to $p_1$. In
(c), the curve zp is replaced by a wire, and a resistor is inserted in the
wire at each point where the curve zp crosses an edge $(i, j)$ in
$G_N(s,d)$. In (d), the circuit $\mathcal{E}_{sd}$ is illustrated by
combining the wires and resistors for each possible edge cut $L$. The diode
in parallel with each resistor maintains the orientation of edges in
$G_N(s, d)$.


Proof: Suppose that $L_C$ contains an edge cut of $G_N(s, d)$. By the
definition of an edge cut, every path $\pi$ from $s$ to $d$ in $G_N(s,d)$
necessarily passes through at least one link in the edge cut. By
Definition 2, every path $\pi$ in $\mathcal{R}_{sd}$ is compromised,
implying by Definition 3 that the route itself is compromised.

Next, suppose that $\mathcal{R}_{sd}$ is compromised. Then, by Definition 2
and Definition 3, there is at least one compromised link $(i_\pi, j_\pi)$ in
each path $\pi \in \mathcal{R}_{sd}$, so let
$L = \{(i_\pi, j_\pi) : \pi \in \mathcal{R}_{sd}\} \subseteq L_C$. Since
every path $\pi$ traverses at least one edge in $L$, $L$ is an edge cut of
$G_N(s, d)$. ■

Proposition 1 thus implies that the task of compromising the route can be
reduced to that of compromising an edge cut of $G_N(s,d)$ by capturing the
set of nodes $C$. We thus show that the compromise of the edge cut $L$ of
$G_N(s,d)$ is equivalent to the flow of current along a path through an
electric circuit. The mapping is described by the following sequence of
steps and illustrated in Fig. 1.

Step 1: The edge cut $L$ is illustrated as a continuous, directed curve zp
which crosses $G_N(s,d)$ [14], crossing only the edges in $L$ in a direction
perpendicular to each edge. The set of compromised edges forming the edge
cut $L$ in Fig. 1(a) thus corresponds to the curve zp in Fig. 1(b).

Step 2: The curve zp crossing $G_N(s,d)$ is mapped to a wire carrying
electric current from the starting point $p_0$ to the ending point $p_1$ of
zp. To represent the cost associated with the capture of nodes in $C$ to
compromise the edge cut $L$, a resistor of resistance $R_C(i,j)$ is inserted
at the point in the wire where the curve zp crosses the edge
$(i,j) \in L$. The curve zp in Fig. 1(b) thus maps to the resistive current
path from $p_0$ to $p_1$ in Fig. 1(c).

Step 3: The resistive current paths for each edge cut $L$ of the graph
$G_N(s,d)$ are then combined into an electric circuit $\mathcal{E}_{sd}$
with a single resistor of resistance $R_C(i,j)$ corresponding to each edge
$(i,j)$ in $G_N(s,d)$. The circuit $\mathcal{E}_{sd}$ in Fig. 1(d) thus
consists of all current paths from $p_0$ to $p_1$ such as that in Fig. 1(c).
The cost of compromising the route $\mathcal{R}_{sd}$ is then proportional
to the equivalent resistance of $\mathcal{E}_{sd}$. Since the resistors in
$\mathcal{E}_{sd}$ are in one-to-one correspondence with the edges in
$G_N(s,d)$, the circuit is related to the dual graph of $G_N(s,d)$.

In certain cases, the orientation of edges in $G_N(s,d)$ can lead to
inconsistencies between edge cuts and current paths. For example, consider
the edge cut $L = \{(s, 1), (4, d)\}$ of $G_N(s,d)$ in Fig. 1(a). If the
direction of the edge $(1,4)$ is ignored, $L$ is no longer an edge cut, as
the path $\{(s, 2), (2, 4), (4, 1), (1, 3), (3, d)\}$ is not compromised.
Hence, the mapping must incorporate edge orientation. For example, in
Fig. 1(a), the corresponding circuit must be modified such that the current
flow incurs a cost $R_C(1, 4)$ in traversing the resistor toward $p_1$ but
no cost in the other direction. This can be achieved by inserting an ideal
diode in parallel with the resistor. Hence, the circuit mapping is completed
by inserting an ideal diode in parallel with each resistor in the circuit
according to the edge direction in $G_N(s,d)$, as in Fig. 1(d).
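Proposition 1 and the edge-orientation caveat above can be checked mechanically. The following Python is an added example, not code from the paper: the edge list is inferred from the text's discussion of Fig. 1(a) (the figure is not reproduced here), and the key rings, including the off-route node `x`, are constructed for illustration.

```python
# Directed route subgraph G_N(s, d). The edge list is inferred from the text's
# discussion of Fig. 1(a); the figure itself is not reproduced on the page.
EDGES = [("s", "1"), ("s", "2"), ("1", "3"), ("1", "4"),
         ("2", "4"), ("3", "d"), ("4", "d")]

# Constructed key rings: every link above shares exactly one key, and the
# off-route node "x" happens to hold the keys securing (s,1) and (4,d).
KEYS = {
    "s": {1, 3}, "1": {1, 4, 5}, "2": {3, 6}, "3": {5, 7},
    "4": {2, 4, 6}, "d": {2, 7}, "x": {1, 2},
}


def compromised_links(keys, edges, captured):
    """Definition 1: L_C holds every link (i, j) with K_ij a subset of K_C."""
    k_c = set().union(*(keys[n] for n in captured))
    return {(i, j) for i, j in edges if (keys[i] & keys[j]) <= k_c}


def simple_paths(edges, s, d):
    """Enumerate every directed simple path from s to d (the route R_sd)."""
    succ = {}
    for i, j in edges:
        succ.setdefault(i, []).append(j)
    found, stack = [], [[s]]
    while stack:
        path = stack.pop()
        if path[-1] == d:
            found.append(path)
            continue
        for nxt in succ.get(path[-1], []):
            if nxt not in path:
                stack.append(path + [nxt])
    return found


def route_compromised(paths, l_c):
    """Definitions 2 and 3: every path contains a compromised link."""
    return all(any(link in l_c for link in zip(p, p[1:])) for p in paths)


def contains_edge_cut(edges, l_c, s, d, directed=True):
    """True if removing L_C disconnects d from s in the route subgraph.

    With directed=False the remaining edges are traversable both ways,
    which reproduces the inconsistency the text warns about.
    """
    adj = {}
    for i, j in edges:
        if (i, j) in l_c:
            continue
        adj.setdefault(i, set()).add(j)
        if not directed:
            adj.setdefault(j, set()).add(i)
    seen, todo = {s}, [s]
    while todo:
        for nxt in adj.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return d not in seen


if __name__ == "__main__":
    paths = simple_paths(EDGES, "s", "d")
    for captured in [{"x"}, {"2"}, {"1"}, {"3", "4"}]:
        l_c = compromised_links(KEYS, EDGES, captured)
        print(sorted(captured), sorted(l_c),
              route_compromised(paths, l_c),
              contains_edge_cut(EDGES, l_c, "s", "d"),
              contains_edge_cut(EDGES, l_c, "s", "d", directed=False))
```

Here the route is taken to be all directed s-to-d paths of the subgraph, so the path-based and cut-based tests agree on every captured set; capturing only `x` yields the cut {(s,1), (4,d)}, which stops being a cut once orientation is ignored.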

We note that the final step of combining resistive current paths into an
electric circuit in Step 3 is well-defined only if the graph $G_N(s, d)$
with the additional edge $(d, s)$ is a planar graph, i.e. only if
$G_N(s,d)$ with $(d, s)$ can be drawn such that no edges intersect. This is
due to the fact that the mapping above yields an electric circuit obtained
as the planar graph dual [14] of $G_N(s, d)$ with $(d, s)$. Hence, an
alternate approach is required when $G_N(s, d)$ with $(d, s)$ is not a
planar graph. For example, if the edge $(2,3)$ is added to the graph
$G_N(s,d)$ in Fig. 1(a), the resulting route cannot be analyzed using the
planar graph dual.

To overcome the lack of a graph dual for non-planar graphs, we provide a
mapping using the circuit dual [15] based on the duality of components and
parameters in circuit analysis. In particular, the circuit
$\mathcal{E}_{sd}$ can be constructed directly from $G_N(s,d)$ by replacing
each directed edge $(i,j)$ by a resistor of resistance $R_C(i, j)^{-1}$ and
a parallel diode allowing current to flow from $j$ to $i$. The cost of
compromising the route $\mathcal{R}_{sd}$ is then inversely proportional to
the equivalent resistance of $\mathcal{E}_{sd}$. The circuit
$\mathcal{E}_{sd}$ for the non-planar case resulting from the addition of
the edge $(2, 3)$ to $G_N(s, d)$ in Fig. 1(a) is illustrated in Fig. 2. We
next show how circuit analysis techniques can be used in computing the route
vulnerability $h_C(s,d)$ from the electric circuit $\mathcal{E}_{sd}$.

Fig. 2. The route subgraph $G_N(s,d)$ in Fig. 1(a) is made non-planar by
adding the edge $(2, 3)$. The resulting electric circuit $\mathcal{E}_{sd}$
is illustrated.

Fig. 3. The route resistance $R_C(\{\pi\})$ of the single path route
$\mathcal{R}_{sd} = \{\pi\}$ is given by (1) as the equivalent resistance of
the parallel resistors $R_C(i,j)$.


D. A Measure of Vulnerability of Network Traffic

In this section, we define the route vulnerability $h_C(s,d)$ of the route
$\mathcal{R}_{sd}$ as a function of the equivalent resistance of the
electric circuit $\mathcal{E}_{sd}$. We first provide a definition of the
resistance values $R_C(i,j)$ for the resistors in the circuit
$\mathcal{E}_{sd}$.

Definition 5: The link resistance $R_C(i,j)$ of the resistor in
$\mathcal{E}_{sd}$, for both the planar and non-planar circuit mappings, is
equal to the number of keys securing the link $(i,j)$ that are not
compromised and is given by
$R_C(i,j) = |\mathcal{K}_{ij} \setminus \mathcal{K}_C|$.

We note that the link resistance values are a measure of the resilience of
individual links to the capture of nodes in $C$. In the planar circuit
mapping, the overall resistance of the circuit $\mathcal{E}_{sd}$ is thus
inversely proportional to the ease with which the adversary compromises the
route $\mathcal{R}_{sd}$. In contrast, the overall resistance of the circuit
$\mathcal{E}_{sd}$ in the non-planar circuit mapping is directly
proportional to the ease with which the adversary compromises
$\mathcal{R}_{sd}$. We thus provide the following definition for the
resistance of the circuit $\mathcal{E}_{sd}$ in each case.

Definition 6: The route resistance $R_C(\mathcal{R}_{sd})$ is defined as the
resilience of the route $\mathcal{R}_{sd}$ to the capture of nodes in $C$.
In the planar circuit mapping, $R_C(\mathcal{R}_{sd})$ is the equivalent
resistance of the circuit $\mathcal{E}_{sd}$. In the non-planar circuit
mapping, $R_C(\mathcal{R}_{sd})^{-1}$ is the equivalent resistance of the
circuit $\mathcal{E}_{sd}$.

We note that the link resistance is a function only of the key assignment
protocol, while the route resistance is a function of both the key
assignment and routing protocols.

We next define the route vulnerability $h_C(s, d)$ as a function of the
route resistance $R_C(\mathcal{R}_{sd})$. Definitions 5 and 6 imply that a
link or route is more vulnerable to attack when the link or route resistance
is smaller, in the same manner that current flows more easily through a path
of smaller resistance. Hence, we define the route vulnerability to be
inversely proportional to the route resistance. To satisfy the conditions of
Definition 4, the route vulnerability $h_C(s,d)$ is defined as follows.

Definition 7: The route vulnerability is defined as

$$h_C(s,d) = \frac{1}{R_\emptyset(\mathcal{R}_{sd})} \left( \frac{1 + R_\emptyset(\mathcal{R}_{sd})}{1 + R_C(\mathcal{R}_{sd})} - 1 \right)$$

where $\emptyset$ denotes the empty set. Conditions 1) and 2) in
Definition 4 are trivially satisfied by this definition, and condition 3) is
satisfied by noting that $h_C(s,d)$ is inversely proportional to the route
resistance $R_C(s,d)$ which measures the resilience of the route to the
capture of nodes in $C$.


The evaluation of the route vulnerability $h_C(s,d)$ varies between single,
multiple independent, and multiple dependent path routing protocols as a
function of the equivalent resistance of the circuit $\mathcal{E}_{sd}$.
Hence, we address the three cases separately
by  denoting  the  route  vulnerability  as 
and  hc(sffi)  for  single,  multiple  independent,  and  multiple 
dependent  path  protocols,  respectively. 

For single path routing protocols, the route $\mathcal{R}_{sd}$ is given by
a single directed path $\pi$ from the source $s$ to the destination $d$. The
circuit mapping using the planar graph dual can thus be applied. As
illustrated by Fig. 3, the equivalent circuit $\mathcal{E}_{sd}$ for
$\mathcal{R}_{sd} = \{\pi\}$ is a parallel combination of link resistors
$R_C(i,j)$ for $(i, j) \in \pi$. Hence, the route resistance $R_C(\{\pi\})$
is given by

$$R_C(\{\pi\}) = \left( \sum_{(i,j) \in \pi} R_C(i,j)^{-1} \right)^{-1}. \qquad (1)$$


The route vulnerability of the single path route is thus given by
Definition 7 and (1) as

$$h_C(s,d) = \frac{1}{R_\emptyset(\{\pi\})} \left( \frac{1 + R_\emptyset(\{\pi\})}{1 + R_C(\{\pi\})} - 1 \right). \qquad (2)$$


In the case of multiple independent path routing protocols, the adversary
can compromise messages traversing individual paths without compromising the
route. In particular, the compromise of each path
$\pi \in \mathcal{R}_{sd}$ yields the compromise of a fraction of the
traffic from $s$ to $d$. Hence, the route vulnerability can be computed
using (1) and (2) as


hc(s,d)=  Uhc(s’d)-  (3) 


For multiple dependent path routing protocols, messages from $s$ to $d$ are
compromised only when the entire route $\mathcal{R}_{sd}$ is compromised.
Hence, the route vulnerability is given directly by Definition 7 using the
equivalent resistance $R_C(\mathcal{R}_{sd})$.


IV. A Heuristic Node Capture Algorithm using Route Vulnerability

Given the definition of route vulnerability metric $h_C(s,d)$ derived in
Section III-D, we now propose a heuristic algorithm which iteratively
captures those nodes which maximize the increase in route vulnerability.

Based on the definition of path compromise in Definition 2 and the circuit
analysis techniques used to define the route vulnerability, the metric
$h_C(s,d)$ is nonlinear in the entries of $C$. Hence, the minimum cost node
capture attack formulated in Section III-A is a nonlinear integer
programming minimization problem.

Due to the fact that integer programming minimization is an NP-hard problem
[10], [16] and because of the nonlinearity of $h_C(s,d)$, we propose the use
of a greedy heuristic that iteratively adds nodes to $C$ based on the
increase in route vulnerability $h_C(s, d)$. The heuristic is thus similar
to a known greedy heuristic for set covering [17] and linear integer
programming [16]. However, due to the nonlinearity in $h_C(s,d)$, the
worst-case performance of the greedy heuristic cannot be analyzed using the
ratio bound analysis in [10], [16], [17] and is left as an open problem for
our future research.

Though any appropriate heuristic will eventually lead to the compromise of
all routes $\mathcal{R}_{sd}$ for $(s,d) \in \mathcal{T}_A$, it may be
beneficial to the adversary to attempt to maximize the vulnerability
resulting from the capture of each individual node using the information
recovered from previously captured nodes. The contribution of a node $i$ is
given by the increase in route vulnerability
$h_{C \cup \{i\}}(s, d) - h_C(s, d)$ due to the addition of $i$ to $C$,
weighted by the adversary's preference for $\mathcal{R}_{sd}$ over other
routes, indicated by a non-negative weight $\nu_{sd}$. The value of each
node $i$ is thus defined as follows.

Definition 8: The individual incremental node value of adding node
$i \in \mathcal{N}$ to $C$ is defined as

$$\nu(i, C) = \sum_{(s,d) \in \mathcal{T}_A} \nu_{sd} \left( h_{C \cup \{i\}}(s,d) - h_C(s,d) \right).$$

To maximize the cost-effectiveness of the node capture
attack at each iteration, the adversary chooses to capture
the node with maximum value per unit cost $\nu(i,C)/w_i$.
Based on this greedy approach, we propose the GNAVE
algorithm, where GNAVE stands for Greedy Node capture
Approximation using Vulnerability Evaluation.

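GNAVE Algorithm

Given: $w_i$ for $i \in \mathcal{N}$, $\mathcal{R}_{sd}$ for $(s,d) \in \mathcal{T}_A$

$C \leftarrow \emptyset$

while there exists $(s,d) \in \mathcal{T}_A$ with $h_C(s,d) < 1$ do
    $i^* \leftarrow \arg\max_{i \in \mathcal{N}} \nu(i,C)/w_i$
    $C \leftarrow C \cup \{i^*\}$
end while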

Each iteration of the GNAVE algorithm is executed as
follows. The adversary constructs the electric circuit $\mathcal{E}_{sd}$ for
a given route $\mathcal{R}_{sd}$ and set $C$ of captured nodes in order
to compute the route vulnerability $h_C(s,d)$. For each node
$i \in \mathcal{N} \setminus C$, the circuit $\mathcal{E}_{sd}$ is then modified by updating the
link resistance values with respect to the keys that would
be compromised if node $i$ was captured. The potential route
vulnerability $h_{C \cup \{i\}}(s,d)$ is then computed using the
equivalent resistance of the modified circuit. The increase in route
vulnerability is aggregated over all routes $\mathcal{R}_{sd}$ for $(s,d) \in \mathcal{T}_A$,
yielding the node value $\nu(i,C)$ as in Definition 8. The impact
of the GNAVE algorithm is demonstrated in Section V through
examples.

Fig. 4. Sources $s_j$ sense an event and send reports to the destinations $d_j$
via single path routes using relay nodes $i_j$. Each link $(i,j)$ is labeled with
the number of shared keys $|\mathcal{K}_{ij}|$.


V.  Case  Study 

In this section, we illustrate the application of the route
vulnerability metric $h_C(s,d)$ and the GNAVE algorithm via
two examples. We first analyze attacks on a single path routing
protocol in a wireless sensor network using key predistribution
[2], [3], [6]. We then analyze attacks on a randomized network
coding protocol [13] in a static wireless network using
symmetric broadcast keys. For each case, we illustrate a node
capture attack in detail and provide simulation results for a
large-scale network. In both cases, we assume that the source
and relay nodes are low-level sensor nodes and, hence, set the
node capture cost $w_i$ for each source $s_j$ and relay $i_j$ to unity.
We similarly assume the sink nodes are higher-level devices
equipped with tamper-resistant hardware and, hence, set the
node capture cost $w_i$ for each destination $d_j$ to infinity. Under
these assumptions, the metric of minimum cost reduces to the
minimum number of captured nodes.

For  the  large-scale  network  simulations,  we  compare  the 
results  of  the  following  five  node  capture  strategies. 

1)  Nodes  are  captured  independently  at  random,  serving  as 
the  baseline  performance  for  the  adversary. 

2) Nodes are captured iteratively to maximize the number
of compromised keys $|\mathcal{K}_C|$. The node $i$ with maximum
$|\mathcal{K}_i \setminus \mathcal{K}_C|$ is captured using information leaked from the
key assignment protocol [7].

3) Nodes are captured iteratively to maximize the number
of compromised links $|\mathcal{L}_C|$. The node $i$ which compromises
the maximum number of additional links is captured
using information leaked from the key assignment
protocol [7].

4) Nodes are captured iteratively to maximize the amount
of network traffic routed through captured nodes.

5) Nodes are captured using the GNAVE algorithm and the
route vulnerability metric $h_C(s,d)$, using information
from both the routing and key assignment protocols.

A. Key Predistribution in Wireless Sensor Networks

We  first  evaluate  the  route  vulnerability  for  routes  in  a 
wireless  sensor  network  using  a  single  path  routing  protocol 
with  keys  assigned  to  sensor  nodes  prior  to  deployment  using 
key  predistribution  [2],  [3],  [6].  In  this  example,  we  address  the 
sensor  network  topology  given  in  Fig.  4  with  keys  distributed 
to  nodes  as  follows. 

$\mathcal{K}_{s_1} = \{\text{[illegible]}, \text{[illegible]}, k_5, k_7\}$
$\mathcal{K}_{s_2} = \{\text{[illegible]}, k_6, k_8, k_9\}$
$\mathcal{K}_{d_1} = \{k_1, k_2, k_3, k_4\}$
$\mathcal{K}_{d_2} = \{k_3, k_6, k_8, k_{10}\}$
$\mathcal{K}_{i_1} = \{k_2, k_4, k_8, k_{10}\}$
$\mathcal{K}_{i_2} = \{k_2, k_4, k_5, k_7\}$
$\mathcal{K}_{i_3} = \{\text{[illegible]}, k_7, k_{11}\}$
$\mathcal{K}_{i_4} = \{k_1, k_6, k_9, k_{11}\}$
$\mathcal{K}_{i_5} = \{\text{[illegible]}, k_4, \text{[illegible]}, k_{10}\}$
$\mathcal{K}_{i_6} = \{k_3, k_4, k_7, k_8\}$
$\mathcal{K}_{i_7} = \{k_4, k_5, k_6, k_9\}$

Fig. 5. The five node capture strategies are illustrated for a wireless sensor network of $|\mathcal{N}| = 500$ nodes for (a) single path, (b) multiple independent path,
and (c) multiple dependent path routing.

To demonstrate how each link is secured using the assigned
keys $\mathcal{K}_i$, we note that nodes $i_2$ and $i_7$ share keys $\mathcal{K}_{i_2 i_7} =
\{k_4, k_5\}$. The link $(i_2, i_7)$ is thus secure as long as
$\{k_4, k_5\} \not\subseteq \mathcal{K}_C$.

The route resistance of each of the four source-destination
routes illustrated in Fig. 4 can be computed using (1) with the
link resistance of each link $(i,j)$ given by Definition 5. Using
the route vulnerability metric $h_C(s,d)$ in (2) and the GNAVE
algorithm, the first captured node is chosen by evaluating the
incremental value $\nu(i,\emptyset)$ for each node $i$, provided in Table II.

To demonstrate the computation of the quantities in Table II,
we consider the source-destination pair $(s_2,d_1)$ in the fourth
column of Table II. The route $\mathcal{R}_{s_2 d_1} = \{\pi\}$ consists of a single
path $\pi = \{(s_2,i_7), (i_7,i_4), (i_4,i_3), (i_3,d_1)\}$, so the route
resistance $R_\emptyset(\{\pi\})$ prior to the attack is equal to the parallel
resistance of the four link resistors. As indicated in Fig. 4,
each link resistor in $\pi$ has a resistance of 2 when $C = \emptyset$, so
$R_\emptyset(\mathcal{R}_{s_2 d_1}) = 1/2$ by (1). If node $i_5$ is added to $C$, the links in
$\pi$ will have corresponding link resistances $R_{\{i_5\}}(s_2,i_7) = 2$,
$R_{\{i_5\}}(i_7,i_4) = 2$, $R_{\{i_5\}}(i_4,i_3) = 1$, and $R_{\{i_5\}}(i_3,d_1) = 1$
by Definition 5. Hence, by (1), $R_{\{i_5\}}(\{\pi\}) = 1/3$. The route
vulnerability $h_{\{i_5\}}(s_2,d_1)$ is thus given by (2) as

$$h_{\{i_5\}}(s_2,d_1) = \frac{1}{1/2}\left(\frac{1 + 1/2}{1 + 1/3} - 1\right) = 1/4.$$

As indicated in Table II, the first node added to $C$ using
GNAVE is node $i_5$ with the value $\nu(i_5,\emptyset) = 3.25$. We note
that the choice of node $i_5$ is not obvious given the routing
topology in Fig. 4. In fact, based on the topology alone, it
appears as though nodes $i_2$, [illegible], and [illegible] would all be better
choices as two of the four routing paths traverse these nodes.
However, when considering the compromise of non-incident
links throughout the network due to the recovery of keys, the
capture of $i_5$ is more beneficial to the adversary.

TABLE II

The route resistance, route vulnerability, and node value are
computed for each node $i$ in the network in Fig. 4.

        $R_{\{i\}}(\mathcal{R}_{sd}),\ h_{\{i\}}(s,d)$
$i$     $(s_1,d_1)$   $(s_1,d_2)$   $(s_2,d_1)$   $(s_2,d_2)$   $\nu(i,\emptyset)$
$s_1$   0, 1          0, 1          2/5, 1/7      2/5, 1/7      2.29
$s_2$   3/7, 3/20     6/17, 3/23    0, 1          0, 1          2.28
$i_1$   0, 1          0, 1          1/2, 0        0, 1          3
$i_2$   0, 1          0, 1          1/2, 0        2/5, 1/7      2.29
$i_3$   1/3, 7/24     2/7, 7/27     0, 1          1/2, 0        1.55
$i_4$   3/7, 3/20     3/7, 0        0, 1          1/2, 0        1.15
$i_5$   0, 1          0, 1          1/3, 1/4      0, 1          3.25
$i_6$   0, 1          0, 1          2/5, 1/7      0, 1          3.14
$i_7$   0, 1          0, 1          0, 1          2/5, 1/7      3.14
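
The GNAVE iteration and the Table II style computation for single path routes, as an added Python example (not code from the paper), useful to a defender ranking which nodes most need tamper resistance. The closed form of $h_C$ is the one the worked numbers above use; the link-resistance rule (count of shared keys not yet exposed, zero once an endpoint is captured), the six-node network, its key rings and all function names are constructed assumptions.

```python
from fractions import Fraction
from math import inf

def parallel(resistances):
    """Single-path route resistance: link resistors in parallel (a 0 shorts it)."""
    if any(r == 0 for r in resistances):
        return Fraction(0)
    return 1 / sum(Fraction(1) / r for r in resistances)

def vulnerability(r_empty, r_c):
    """h_C = (1/R_0) * ((1 + R_0)/(1 + R_C) - 1), the form used in the worked examples."""
    r_empty, r_c = Fraction(r_empty), Fraction(r_c)
    return (1 / r_empty) * ((1 + r_empty) / (1 + r_c) - 1)

def link_resistance(i, j, keys, captured):
    """ASSUMED rule: shared keys not yet exposed; 0 if an endpoint is captured."""
    if i in captured or j in captured:
        return Fraction(0)
    exposed = set().union(*(keys[c] for c in captured))
    return Fraction(len((keys[i] & keys[j]) - exposed))

def route_vulnerability(path, keys, captured):
    links = list(zip(path, path[1:]))
    r_empty = parallel([link_resistance(a, b, keys, frozenset()) for a, b in links])
    r_c = parallel([link_resistance(a, b, keys, captured) for a, b in links])
    return vulnerability(r_empty, r_c)

def node_value(i, captured, routes, keys, weights):
    """nu(i, C): weighted gain in route vulnerability from adding i to C."""
    return sum(weights[sd] * (route_vulnerability(p, keys, captured | {i})
                              - route_vulnerability(p, keys, captured))
               for sd, p in routes.items())

def gnave(routes, keys, cost, weights):
    """Greedy capture order; the earliest entries are the nodes to harden first."""
    captured, order = frozenset(), []
    while any(route_vulnerability(p, keys, captured) < 1 for p in routes.values()):
        candidates = [i for i in keys if i not in captured and cost[i] != inf]
        best = max(candidates,
                   key=lambda i: node_value(i, captured, routes, keys, weights) / cost[i])
        captured |= {best}
        order.append(best)
    return order

# Constructed sample network (not from the paper): two single-path routes to a
# tamper-resistant sink "d", plus an off-route node "x" with keys from the same pool.
KEYS = {
    "s1": {1, 2}, "a": {1, 2, 3, 4}, "s2": {5, 6}, "b": {5, 6, 7, 8},
    "x": {1, 2, 3, 5, 7}, "d": {3, 4, 7, 8},
}
ROUTES = {("s1", "d"): ["s1", "a", "d"], ("s2", "d"): ["s2", "b", "d"]}
COST = {"s1": 1, "a": 1, "s2": 1, "b": 2, "x": 1, "d": inf}
WEIGHTS = {sd: 1 for sd in ROUTES}

if __name__ == "__main__":
    for node in KEYS:
        if COST[node] != inf:
            print(node, node_value(node, frozenset(), ROUTES, KEYS, WEIGHTS))
    print("greedy order:", gnave(ROUTES, KEYS, COST, WEIGHTS))
```

On the constructed network the off-route node x ranks first because its key ring overlaps links on both routes, the same effect the paper reports for $i_5$.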

In  order  to  observe  the  performance  of  node  capture  attacks 
in  a  large-scale  wireless  sensor  network,  we  also  simulated  the 
five  node  capture  attacks  above  for  each  of  the  three  routing 
protocol  classes:  single  path,  multiple  independent  path,  and 
multiple  dependent  path  routing. 

Each simulation was performed for a network of $|\mathcal{N}| = 500$
nodes with $|\mathcal{K}_i| = 50$ randomly selected keys for each node
$i \in \mathcal{N}$ and deployed with an average of 25 neighbors. The
subsets $\mathcal{S}, \mathcal{D} \subseteq \mathcal{N}$ were randomly selected such that $|\mathcal{S}| = 100$
and $|\mathcal{D}| = 10$. Each source node chose to route messages to
the nearest three of the 10 destination nodes. In our simulation,
we implemented geographic forwarding with a hop-count
mechanism to avoid routing loops and geographic dead-ends
[11]. For single path routing, the next hop neighbor was chosen
as the neighbor closest to the destination with a lower or equal
hop count, while for multiple (independent and dependent)
path routing, three such neighbors were chosen. For multiple
dependent path routing, we assume that any minimum edge
cut is sufficient to reconstruct the original message.

Fig. 5 illustrates the node capture attacks on each of the
three cases of single path, multiple independent path, and
multiple dependent path routing. We note that the node capture
attack using the GNAVE algorithm requires the capture of
significantly fewer nodes for all three routing protocol classes
compared to the first four attacks. In comparing Fig. 5(b) and
Fig. 5(c), we note that the dependence of messages traversing
different paths prevents the quick increase in the compromise
of traffic for a small number of captured nodes. However, the
number of captured nodes $|C|$ required to compromise all target
traffic is only slightly increased. Hence, although multiple path
routing is more resilient to the capture of a small number
of nodes compared to single path routing, the same resource
expenditure is required to compromise all traffic in all three
cases.

Fig. 6. The network and shared broadcast keys are illustrated for three
sources $s_1$, $s_2$, and $s_3$ multicasting messages to groups $\{d_1, d_2, d_3, d_4\}$,
$\{d_2, d_3, d_4\}$, and $\{d_1, d_2, d_3\}$, respectively. Each node is joined by edges to
the set of neighbors which can receive secure broadcast transmissions.

To compare the five different node capture strategies, we
compare the number of nodes required to compromise 80% of
network traffic, approximately 40, 32, 27, 16, and 10 for the
five attacks on single path routing. Hence, the total resource
expenditure due to the capture of nodes in $C$ using the route
vulnerability metric $h_C(s,d)$ is 25-65% of that required by
the first four simulated strategies.

B.  Network  Coding  with  Symmetric  Broadcast  Keys 

We next evaluate the route vulnerability using randomized
network coding combined with symmetric key encrypted
broadcasts. A unique broadcast key is assigned to each node
and a random subset of its neighbors. In this example, we
address the network topology given in Fig. 6. The following
periodic broadcast schedule demonstrates how broadcast
messages propagate through the network using randomized
network coding at each time $t$.

$t$   Sender   Message
0     $s_1$    $x_1$
      $s_2$    $x_2$
      $s_3$    $x_3$
1     $i_5$    $\alpha_5 x_1$
      $i_1$    $\alpha_1 x_1$
      $i_7$    $\alpha_7 x_2$
2     $i_6$    $\alpha_6 x_2 + \beta_6(\alpha_5 x_1)$
      $i_3$    $\alpha_3 x_3 + \beta_3(\alpha_1 x_1)$
3     $i_2$    $\alpha_2 x_3 + \beta_2(\alpha_1 x_1)$
      $i_4$    $\alpha_4 x_3 + \beta_4(\alpha_7 x_2) + \gamma_4(\alpha_3 x_3 + \beta_3(\alpha_1 x_1))$

Each message is broadcast, encrypted and authenticated with
the corresponding keys, to each key sharing neighbor, as
indicated in Fig. 6. The parameters $\alpha_i$, $\beta_i$, and $\gamma_i$ are randomly
selected network coding coefficients chosen from a given finite
field [13].


Fig. 7. The electric circuit $\mathcal{E}_{s_2 d_3}$ is illustrated for the route $\mathcal{R}_{s_2 d_3}$ in the
network of Fig. 6. The label on each resistor provides the link resistances
$R_C(i,j)$ for both $C = \emptyset$ and $C = \{i_5\}$ for each link


Since the example network in Fig. 6 is planar, the route
resistance of each of the ten source to destination routes can
be computed by constructing the corresponding circuit using
the planar graph dual as illustrated in Section III-C. The use
of distinct broadcast keys suggests that a single key is used to
secure each directed link $(i,j)$. Using the route vulnerability
metric in Section III for dependent path routing protocols and
the GNAVE algorithm, the adversary’s choice for the first
captured node is given by evaluating the incremental value
$\nu(i,\emptyset)$ for each node $i$. The evaluation of node value $\nu(i,\emptyset)$
is given in Table III.

To demonstrate the computation of the quantities in Table III,
we consider the source-destination pair $(s_2,d_3)$ in the
seventh column of the table and illustrate the computation of
the route resistance $R_{\{i_5\}}(\mathcal{R}_{s_2 d_3})$ and the route vulnerability
$h_{\{i_5\}}(s_2,d_3)$ due to the capture of node $i_5$. Based on the
randomized network coding protocol, the route consists of the
three paths $\pi_1 = \{(s_2,i_6), (i_6,d_3)\}$, $\pi_2 = \{(s_2,i_7), (i_7,d_3)\}$,
and $\pi_3 = \{(s_2,i_7), (i_7,i_4), (i_4,d_3)\}$. The equivalent electric
circuit for the route $\mathcal{R}_{s_2 d_3}$ is thus given in Fig. 7 with resistor
values given for both $C = \emptyset$ and $C = \{i_5\}$.

Using resistive circuit evaluation, the equivalent resistance
of the circuit in Fig. 7 is $R_\emptyset(\mathcal{R}_{s_2 d_3}) = 11/10$ for $C = \emptyset$ and
$R_{\{i_5\}}(\mathcal{R}_{s_2 d_3}) = 3/5$ for $C = \{i_5\}$. The route vulnerability
$h_{\{i_5\}}(s_2,d_3)$ is thus given by Definition 7 as

$$h_{\{i_5\}}(s_2,d_3) = \frac{1}{11/10}\left(\frac{1 + 11/10}{1 + 3/5} - 1\right) = 25/88.$$

As indicated in Table III, the first node added to $C$ using the
GNAVE algorithm is node $i_5$ with the value $\nu(i_5,\emptyset) = 5.73$.

We next simulated the performance of node capture attacks
in a large-scale network using randomized network coding
[13]. The implementation of randomized network coding in
this example combines network coding with geographic flooding,
in that coded packets are only propagated in the direction
of the destination nodes using a hop count mechanism to avoid
geographic dead-ends [11]. Broadcast keys were assigned
randomly within each neighborhood, in that each neighbor of a
node is in the key-sharing subset with probability $p$ computed
to guarantee a connected network with high probability [2],
[6]. Each node in the network thus receives encrypted packets
from upstream neighbors, decrypts each packet, computes
a linear combination of the coded packets using random
coefficients, and encrypts and forwards the resulting packet
to downstream neighbors. Similar to the previous example,
we compare the five node capture strategies to compromise
all target traffic in the network.

TABLE III

The route resistance, route vulnerability, and node value are computed for each node $i$ in the network in Fig. 6.

        $R_{\{i\}}(\mathcal{R}_{sd}),\ h_{\{i\}}(s,d)$
$i$     $(s_1,d_1)$   $(s_1,d_2)$   $(s_1,d_3)$   $(s_1,d_4)$   $(s_2,d_2)$   $(s_2,d_3)$   $(s_2,d_4)$   $(s_3,d_1)$   $(s_3,d_2)$   $(s_3,d_3)$   $\nu(i,\emptyset)$
$s_1$   0, 1          0, 1          0, 1          0, 1          5/6, 0        11/10, 0      1/2, 0        1/2, 0        3/5, 0        3/5, 0        4
$s_2$   3/5, 0        5/4, 16/171   1/4, 16/35    1/2, 1/9      0, 1          0, 1          0, 1          1/2, 0        3/5, 0        3/5, 0        3.66
$s_3$   1/2, 1/9      4/3, 9/133    1/3, 9/28     3/5, 0        1/2, 4/15     1, 1/22       1/2, 0        0, 1          0, 1          0, 1          3.81
$i_1$   0, 1          0, 1          0, 1          0, 1          5/6, 0        11/10, 0      1/2, 0        0, 1          1/2, 1/9      1/2, 1/9      5.22
$i_2$   0, 1          4/3, 9/133    1/3, 9/28     3/5, 0        5/6, 0        11/10, 0      1/2, 0        0, 1          0, 1          0, 1          4.39
$i_3$   0, 1          4/3, 9/133    1/3, 9/28     3/5, 0        1/2, 4/15     1, 1/22       1/2, 0        0, 1          0, 1          0, 1          4.70
$i_4$   3/5, 0        4/3, 9/133    1/3, 9/28     3/5, 0        1/2, 4/15     1/2, 4/11     1/2, 0        0, 1          0, 1          0, 1          4.02
$i_5$   0, 1          0, 1          0, 1          0, 1          1/3, 9/20     3/5, 25/88    0, 1          1/2, 0        3/5, 0        3/5, 0        5.73
$i_6$   3/5, 0        5/4, 16/171   1/4, 16/35    0, 1          0, 1          0, 1          0, 1          1/2, 0        3/5, 0        3/5, 0        4.55
$i_7$   3/5, 0        4/3, 9/133    1/3, 9/28     3/5, 0        0, 1          0, 1          0, 1          1/2, 0        0, 1          0, 1          5.39

Fig. 8. Node capture attacks are performed using five node capture strategies
for a randomized network coding protocol using broadcast keys in a wireless
network of $|\mathcal{N}| = 500$ nodes.

The simulation was performed for a network of $|\mathcal{N}| = 500$
randomly deployed nodes with an average of 25 neighbors.
The subsets $\mathcal{S}, \mathcal{D} \subseteq \mathcal{N}$ were randomly selected such that
$|\mathcal{S}| = 100$ and $|\mathcal{D}| = 10$. Each source node chose to route
each message to the nearest three of the 10 destination nodes.
Fig. 8 illustrates the performance of the node capture attack.
As seen in Fig. 8, the use of the GNAVE algorithm with
the route vulnerability metric $h_C(s,d)$ requires the capture of
significantly fewer nodes compared to the first four attacks. For
example, to compromise 80% of network traffic, the five attack
strategies require 36, 18, 16, 16, and 12 captured nodes. Hence,
the total resource expenditure due to the capture of nodes in
$C$ using the route vulnerability metric $h_C(s,d)$ is 35-75% of
that required by the first four simulated strategies.

VI.  Conclusion 

In  this  work,  we  analyzed  the  impact  of  node  capture 
attacks  on  the  confidentiality  and  integrity  of  network  traffic. 
We  mapped  the  compromise  of  network  traffic  to  the  flow 
of  current  through  an  electric  circuit  and  proposed  a  new 
metric  of  route  vulnerability  that  quantifies  the  resilience  of 
traffic  to  the  compromise  of  symmetric  keys.  We  formulated 
the  minimum  cost  node  capture  attack  as  a  nonlinear  integer 
programming minimization problem using the route vulnerability
metric and provided a greedy heuristic solution called
GNAVE to approximate the NP-hard minimization problem.
We showed that an adversary can significantly decrease the
resource expenditure by intelligently capturing nodes using
the proposed route vulnerability metric. Our future work will
include probabilistic estimation of route vulnerability when
information about the key assignment and routing protocols is
non-deterministic.